Abstract

A proof of the soundness of Tofte's imperative type discipline with respect to a structured operational semantics is given. The presentation is based on a semantic formalism that combines the benefits of the approaches considered by Wright and Felleisen, and by Tofte, leading to a particularly simple proof of soundness of Tofte's type discipline.
1 Introduction


The extension of Damas and Milner's polymorphic type system for pure functional programs [2] to accommodate mutable cells has proved to be problematic. The naive extension of the pure language with operations to allocate a cell, and to retrieve and modify its contents, is unsound [11]. The problem has received considerable attention, notably by Damas [3], Tofte [10, 11], and Leroy and Weiss [7]. Tofte's solution is based on a greatest fixed point construction to define the semantic typing relation [11] (see also [8]). This method has been subsequently used by Leroy and Weiss [7] and Talpin and Jouvelot [9]. It was subsequently noted by Wright and Felleisen [13] that the proof of soundness can be substantially simplified if the argument is made by induction on the length of an execution sequence, rather than on the structure of the typing derivation. Using this method they establish the soundness of a restriction of the language that requires let-bound expressions to be values. In this note we present an alternative proof of the soundness of Tofte's imperative type discipline using a semantic framework that is intermediate between that of Wright and Felleisen and that of Tofte. The formalism considered admits a very simple and intuitively appealing proof of the soundness of Tofte's type discipline, and may be of some use in subsequent studies of this and related problems.

2  A  Language  with  Mutable  Data  Structures 

The syntax of our illustrative language is given by the following grammar:

expressions  $e ::= x \mid l \mid \mathrm{unit} \mid \mathrm{ref}\ e \mid e_1 := e_2 \mid\ !e \mid \lambda x.e \mid e_1\,e_2 \mid \mathbf{let}\ x\ \mathbf{be}\ e_1\ \mathbf{in}\ e_2$

values       $v ::= x \mid l \mid \mathrm{unit} \mid \lambda x.e$

The meta-variable $x$ ranges over a countably infinite set of variables, and the meta-variable $l$ ranges over a countably infinite set of locations. In the above grammar $\mathrm{unit}$ is a constant, $\mathrm{ref}$ and $!$ are one-argument primitive operations, and $:=$ is a two-argument primitive operation. Capture-avoiding substitution of a value $v$ for a free variable $x$ in an expression $e$ is written $[v/x]e$.

The syntax of type expressions is given by the following grammar:

monotypes  $\tau ::= t \mid \mathrm{unit} \mid \tau\,\mathrm{ref} \mid \tau_1 \to \tau_2$

polytypes  $\sigma ::= \tau \mid \forall t.\sigma$

The meta-variable $t$ ranges over a countably infinite set of type variables. The symbol $\mathrm{unit}$ is a distinguished base type, and types of the form $\tau\,\mathrm{ref}$ stand for the type of references to values of type $\tau$. The set $\mathrm{FTV}(\sigma)$ of type variables occurring freely in a polytype $\sigma$ is defined as usual, as is the operation of capture-avoiding substitution of a monotype $\tau$ for free occurrences of a type variable $t$ in a polytype $\sigma$, written $[\tau/t]\sigma$.

A variable typing is a function mapping a finite set of variables to polytypes. The meta-variable $\Gamma$ ranges over variable typings. The polytype assigned to a variable $x$ in a variable typing $\Gamma$ is $\Gamma(x)$, and the variable typing $\Gamma[x:\sigma]$ is defined so that the variable $x$ is assigned the polytype $\sigma$, and a variable $x' \neq x$ is assigned the polytype $\Gamma(x')$. The set of type variables occurring freely in a variable typing $\Gamma$, written $\mathrm{FTV}(\Gamma)$, is defined to be $\bigcup_{x \in \mathrm{dom}(\Gamma)} \mathrm{FTV}(\Gamma(x))$. A location typing is a function mapping a finite set of locations to monotypes. The meta-variable $\Lambda$ ranges over location typings. Notational conventions similar to those for variable typings are used for location typings.

Polymorphic type assignment is defined by a set of rules for deriving judgements of the form $\Lambda;\Gamma \vdash e : \tau$, with the intended meaning that the expression $e$ has type $\tau$ under the assumption that the locations in $e$ have the monotypes ascribed by $\Lambda$, and the free variables in $e$ have the polytypes ascribed by $\Gamma$. The rules of inference are given in Table 1. These rules make use of two auxiliary notions. The polymorphic instance relation $\sigma > \tau$ is defined to hold iff $\sigma$ is a polytype of the form $\forall t_1 \ldots \forall t_n.\tau'$ and $\tau$ is a monotype of the form $[\tau_1,\ldots,\tau_n/t_1,\ldots,t_n]\tau'$, where $\tau_1,\ldots,\tau_n$ are monotypes. This relation is extended to polytypes by defining $\sigma > \sigma'$ iff $\sigma > \tau$ whenever $\sigma' > \tau$. The polymorphic generalization of a monotype $\tau$ relative to a location typing $\Lambda$ and variable typing $\Gamma$, $\mathrm{Close}_{\Lambda,\Gamma}(\tau)$, is the polytype $\forall t_1 \ldots \forall t_n.\tau$, where $\mathrm{FTV}(\tau) \setminus (\mathrm{FTV}(\Lambda) \cup \mathrm{FTV}(\Gamma)) = \{t_1,\ldots,t_n\}$. As a notational convenience, we sometimes write $\Lambda \vdash e : \tau$ for $\Lambda;\emptyset \vdash e : \tau$ and $\mathrm{Close}_\Lambda(\tau)$ for $\mathrm{Close}_{\Lambda,\emptyset}(\tau)$.

The  following  lemma  summarizes  some  important  properties  of  the  type  system: 

(VAR)       $\Lambda;\Gamma \vdash x : \tau$   ($\Gamma(x) > \tau$)

(LOC)       $\Lambda;\Gamma \vdash l : \tau\,\mathrm{ref}$   ($\Lambda(l) = \tau$)

(TRIV)      $\Lambda;\Gamma \vdash \mathrm{unit} : \mathrm{unit}$

(REF)       $\dfrac{\Lambda;\Gamma \vdash e : \tau}{\Lambda;\Gamma \vdash \mathrm{ref}\ e : \tau\,\mathrm{ref}}$

(ASSIGN)    $\dfrac{\Lambda;\Gamma \vdash e_1 : \tau\,\mathrm{ref} \qquad \Lambda;\Gamma \vdash e_2 : \tau}{\Lambda;\Gamma \vdash e_1 := e_2 : \mathrm{unit}}$

(RETRIEVE)  $\dfrac{\Lambda;\Gamma \vdash e : \tau\,\mathrm{ref}}{\Lambda;\Gamma \vdash\ !e : \tau}$

(ABS)       $\dfrac{\Lambda;\Gamma[x:\tau_1] \vdash e : \tau_2}{\Lambda;\Gamma \vdash \lambda x.e : \tau_1 \to \tau_2}$   ($x \notin \mathrm{dom}(\Gamma)$)

(APP)       $\dfrac{\Lambda;\Gamma \vdash e_1 : \tau_2 \to \tau \qquad \Lambda;\Gamma \vdash e_2 : \tau_2}{\Lambda;\Gamma \vdash e_1\,e_2 : \tau}$

(LET)       $\dfrac{\Lambda;\Gamma \vdash e_1 : \tau_1 \qquad \Lambda;\Gamma[x:\mathrm{Close}_{\Lambda,\Gamma}(\tau_1)] \vdash e_2 : \tau_2}{\Lambda;\Gamma \vdash \mathbf{let}\ x\ \mathbf{be}\ e_1\ \mathbf{in}\ e_2 : \tau_2}$   ($x \notin \mathrm{dom}(\Gamma)$)

Table 1: Polymorphic Type Assignment


(VAL)       $\mu \vdash v \Rightarrow v, \mu$

(ALLOC)     $\dfrac{\mu \vdash e \Rightarrow v, \mu'}{\mu \vdash \mathrm{ref}\ e \Rightarrow l, \mu'[l:=v]}$   ($l \notin \mathrm{dom}(\mu')$)

(CONTENTS)  $\dfrac{\mu \vdash e \Rightarrow l, \mu'}{\mu \vdash\ !e \Rightarrow \mu'(l), \mu'}$

(UPDATE)    $\dfrac{\mu \vdash e_1 \Rightarrow l, \mu_1 \qquad \mu_1 \vdash e_2 \Rightarrow v, \mu_2}{\mu \vdash e_1 := e_2 \Rightarrow \mathrm{unit}, \mu_2[l:=v]}$

(APPLY)     $\dfrac{\mu \vdash e_1 \Rightarrow \lambda x.e_1', \mu_1 \qquad \mu_1 \vdash e_2 \Rightarrow v_2, \mu_2 \qquad \mu_2 \vdash [v_2/x]e_1' \Rightarrow v, \mu'}{\mu \vdash e_1\,e_2 \Rightarrow v, \mu'}$

(BIND)      $\dfrac{\mu \vdash e_1 \Rightarrow v_1, \mu_1 \qquad \mu_1 \vdash [v_1/x]e_2 \Rightarrow v_2, \mu_2}{\mu \vdash \mathbf{let}\ x\ \mathbf{be}\ e_1\ \mathbf{in}\ e_2 \Rightarrow v_2, \mu_2}$

Table 2: Operational Semantics for References


Lemma 2.1

1. (Weakening) Suppose that $\Lambda;\Gamma \vdash e : \tau$. If $l \notin \mathrm{dom}(\Lambda)$, then $\Lambda[l:\tau'];\Gamma \vdash e : \tau$ for any monotype $\tau'$, and if $x \notin \mathrm{dom}(\Gamma)$, then $\Lambda;\Gamma[x:\sigma] \vdash e : \tau$ for any polytype $\sigma$.

2. (Substitution) If $\Lambda;\Gamma \vdash v : \tau$ and $\Lambda;\Gamma[x:\sigma] \vdash e' : \tau'$, and $\mathrm{Close}_{\Lambda,\Gamma}(\tau) > \sigma$, then $\Lambda;\Gamma \vdash [v/x]e' : \tau'$.

3. (Specialization) If $\Lambda;\Gamma \vdash e : \tau$ and $\mathrm{Close}_{\Lambda,\Gamma}(\tau) > \tau'$, then $\Lambda;\Gamma \vdash e : \tau'$.

The proofs are routine inductions on the structure of typing derivations. Substitution is stated only for values, in recognition of the fact that in a call-by-value language only values are ever substituted for variables during evaluation.



3  Semantics  and  Soundness 

A memory $\mu$ is a partial function mapping a finite set of locations to values. The contents of a location $l \in \mathrm{dom}(\mu)$ is the value $\mu(l)$, and we write $\mu[l:=v]$ for the memory which assigns to location $l$ the value $v$ and to a location $l' \neq l$ the value $\mu(l')$. Notice that the result may either be an update of $\mu$ (if $l \in \mathrm{dom}(\mu)$) or an extension of $\mu$ (if $l \notin \mathrm{dom}(\mu)$).

The operational semantics of the language is defined by a collection of rules for deriving judgements of the form $\mu \vdash e \Rightarrow v, \mu'$, with the intended meaning that the closed expression $e$, when evaluated in memory $\mu$, results in value $v$ and memory $\mu'$. The rules of the semantics are given in Table 2.
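As an added illustration, not part of the original paper, the following Python program implements the rules of Table 2 directly as a big-step evaluator over closed terms, with memories represented as dictionaries from location numbers to values. The tuple encoding of terms and the two programs OK and BAD are constructed for this example. BAD is written in the spirit of Tofte's counterexample discussed in Section 3: it overwrites a cell created with $\lambda y.y$ by a function of another type and then applies $!$ to something that is not a location, so no rule of Table 2 applies and evaluation gets stuck. Ruling out exactly such stuck states is what the soundness theorem of Section 3 is about.

```python
"""Big-step evaluator for Table 2 (added example, not code from the paper).
Terms are nested tuples: 'unit', ('var', x), ('loc', n), ('lam', x, e),
('app', e1, e2), ('ref', e), ('get', e) for !e, ('set', e1, e2) for e1 := e2,
('let', x, e1, e2).  A memory is a dict from location numbers to values."""

def subst(e, x, v):
    """[v/x]e.  v is always a closed value here, so no capture can occur."""
    if e == 'unit' or e[0] == 'loc': return e
    if e[0] == 'var': return v if e[1] == x else e
    if e[0] == 'lam': return e if e[1] == x else ('lam', e[1], subst(e[2], x, v))
    if e[0] == 'let':   # a let that rebinds x shadows the substitution in e2 only
        return ('let', e[1], subst(e[2], x, v), e[3] if e[1] == x else subst(e[3], x, v))
    return (e[0],) + tuple(subst(s, x, v) for s in e[1:])

def need(v, tag):
    """Table 2 has no rule for !v, v := e or v e unless v has the right shape."""
    if v == 'unit' or v[0] != tag: raise RuntimeError(f'expected a {tag}, got {v}')
    return v

def evaluate(e, mem):
    """Derive mem |- e => v, mem' by the rules of Table 2; returns (v, mem')."""
    if e == 'unit' or e[0] in ('lam', 'loc'): return e, mem                 # VAL
    tag = e[0]
    if tag == 'ref':                                                        # ALLOC
        v, mem = evaluate(e[1], mem); l = len(mem)                          # l not in dom(mem)
        return ('loc', l), {**mem, l: v}
    if tag == 'get':                                                        # CONTENTS
        l, mem = evaluate(e[1], mem); return mem[need(l, 'loc')[1]], mem
    if tag == 'set':                                                        # UPDATE
        l, mem = evaluate(e[1], mem); v, mem = evaluate(e[2], mem)
        return 'unit', {**mem, need(l, 'loc')[1]: v}
    if tag == 'app':                                                        # APPLY
        f, mem = evaluate(e[1], mem); a, mem = evaluate(e[2], mem)
        _, x, body = need(f, 'lam'); return evaluate(subst(body, x, a), mem)
    if tag == 'let':                                                        # BIND
        v1, mem = evaluate(e[2], mem); return evaluate(subst(e[3], e[1], v1), mem)
    raise RuntimeError(f'no rule applies to {e}')   # e.g. a free variable

def run(e):
    """Value of the closed program e, or the reason its evaluation got stuck."""
    try: return evaluate(e, {})[0]
    except RuntimeError as err: return f'stuck: {err}'

# Constructed programs.  OK: let r be ref (\y.y) in let z be r := (\y.unit) in (!r) unit
OK = ('let', 'r', ('ref', ('lam', 'y', ('var', 'y'))),
      ('let', 'z', ('set', ('var', 'r'), ('lam', 'y', 'unit')),
       ('app', ('get', ('var', 'r')), 'unit')))
# BAD: let r be ref (\y.y) in let z be r := (\y.unit) in !((!r) (ref unit))
# The LET rule of Table 1 types this program (r : forall t.(t -> t) ref, used at
# t = unit and at t = unit ref), yet evaluation sticks at !unit.
BAD = ('let', 'r', ('ref', ('lam', 'y', ('var', 'y'))),
       ('let', 'z', ('set', ('var', 'r'), ('lam', 'y', 'unit')),
        ('get', ('app', ('get', ('var', 'r')), ('ref', 'unit')))))

if __name__ == '__main__':
    print('OK  ->', run(OK)); print('BAD ->', run(BAD))
```

Fresh locations are chosen as the next unused number, which satisfies the side condition $l \notin \mathrm{dom}(\mu')$ of ALLOC because a memory is only ever extended at the end. Substitution is written for closed values only, matching the remark after Lemma 2.1.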

The typing relation is extended to memories and location typings by defining $\mu : \Lambda$ to hold iff $\mathrm{dom}(\mu) = \mathrm{dom}(\Lambda)$, and for every $l \in \mathrm{dom}(\mu)$, $\Lambda \vdash \mu(l) : \Lambda(l)$. Notice that the typing relation is defined so that $\mu(l)$ may mention locations whose type is defined by $\Lambda$. (Compare Tofte's account [11].) For example (extending the language with integers purely for the sake of illustration), suppose that $\mu$ is the memory sending location $l_0$ to $\lambda x.x+1$, and location $l_1$ to $\lambda y.(!l_0)\,y + 1$, and suppose that $\Lambda$ is the location typing assigning the type $\mathrm{int} \to \mathrm{int}$ to both $l_0$ and $l_1$. The verification that $\mu : \Lambda$ requires checking that $\Lambda \vdash \lambda y.(!l_0)\,y + 1 : \mathrm{int} \to \mathrm{int}$, which requires determining the type assigned to location $l_0$ by $\Lambda$.

As pointed out by Tofte [11], the memory $\mu'$ which assigns $\mu(l_1)$ to both $l_0$ and $l_1$ can arise as the result of an assignment statement. To verify that $\mu' : \Lambda$ requires checking that $\Lambda \vdash \mu'(l_0) : \Lambda(l_0)$, which itself relies on $\Lambda(l_0)$! Tofte employs a "greatest fixed point" construction to account for this possibility, but no such machinery is needed here: the location typing $\Lambda$ is given in advance, and the typing of each stored value is checked against it rather than against the memory itself. This is the principal advantage of our formalism. (A similar advantage accrues to Wright and Felleisen's approach [13] and was suggested to us by them.)

We  now  turn  to  the  question  of  soundness  of  the  type  system. 
Conjecture 3.1 If $\mu \vdash e \Rightarrow v, \mu'$, and $\Lambda \vdash e : \tau$, with $\mu : \Lambda$, then there exists $\Lambda'$ such that $\Lambda \subseteq \Lambda'$, $\mu' : \Lambda'$, and $\Lambda' \vdash v : \tau$.

The intention is to capture the preservation of typing under evaluation, taking account of the fact that evaluation may allocate storage, and hence introduce "new" locations that are not governed by the initial location typing $\Lambda$. Thus the location typing $\Lambda'$ is to be constructed as a function of the evaluation of $e$, as will become apparent in the sequel.

A proof by induction on the structure of the derivation of $\mu \vdash e \Rightarrow v, \mu'$ goes through for all cases but BIND. For example, consider the expression $\mathrm{ref}\ e$. We have $\mu \vdash \mathrm{ref}\ e \Rightarrow l, \mu'[l:=v]$ by ALLOC, $\Lambda \vdash \mathrm{ref}\ e : \tau\,\mathrm{ref}$ by REF, and $\mu : \Lambda$. It follows from the definition of ALLOC that $\mu \vdash e \Rightarrow v, \mu'$ with $l \notin \mathrm{dom}(\mu')$, and from the definition of REF that $\Lambda \vdash e : \tau$. So by induction there is a location typing $\Lambda' \supseteq \Lambda$ such that $\mu' : \Lambda'$ and $\Lambda' \vdash v : \tau$. To complete the proof we need only check that the location typing $\Lambda'' = \Lambda'[l:\tau]$ satisfies the conditions that $\mu'[l:=v] : \Lambda''$ and that $\Lambda'' \vdash l : \tau\,\mathrm{ref}$, both of which follow from the assumptions and Lemma 2.1(1). The other cases follow a similar pattern, with the exception of rule BIND. To see where the proof breaks down, let us consider the obvious attempt to carry it through. Our assumption is that $\mu \vdash \mathbf{let}\ x\ \mathbf{be}\ e_1\ \mathbf{in}\ e_2 \Rightarrow v, \mu'$ by BIND, $\Lambda \vdash \mathbf{let}\ x\ \mathbf{be}\ e_1\ \mathbf{in}\ e_2 : \tau$ by LET, and $\mu : \Lambda$. It follows that $\mu \vdash e_1 \Rightarrow v_1, \mu_1$ for some value $v_1$ and some memory $\mu_1$, and that $\mu_1 \vdash [v_1/x]e_2 \Rightarrow v, \mu'$. We also have that $\Lambda \vdash e_1 : \tau_1$ for some monotype $\tau_1$, and that $\Lambda; x{:}\mathrm{Close}_\Lambda(\tau_1) \vdash e_2 : \tau$. By induction there is a location typing $\Lambda_1 \supseteq \Lambda$ such that $\mu_1 : \Lambda_1$ and $\Lambda_1 \vdash v_1 : \tau_1$. To complete the proof it suffices to show that $\Lambda_1 \vdash [v_1/x]e_2 : \tau$. This would follow from the typing assumptions governing $v_1$ and $e_2$ (weakened to $\Lambda_1$ by Lemma 2.1(1)) by an application of Lemma 2.1(2), provided that we could show that $\mathrm{Close}_{\Lambda_1}(\tau_1) > \mathrm{Close}_\Lambda(\tau_1)$. But this requires that no type variable generalized by $\mathrm{Close}_\Lambda(\tau_1)$ occur free in $\Lambda_1$ (it holds, for instance, when $\mathrm{FTV}(\Lambda_1) \subseteq \mathrm{FTV}(\Lambda)$), which does not necessarily obtain. For example, if $e_1 = \mathrm{ref}\,(\lambda x.x)$ and $\tau_1$ has the form $(t \to t)\,\mathrm{ref}$, where $t$ does not occur in $\Lambda$, then $\mathrm{Close}_\Lambda(\tau_1)$ generalizes $t$, whereas $\mathrm{Close}_{\Lambda_1}(\tau_1)$ does not, since $\Lambda_1$ assigns the type $t \to t$ to the newly allocated location. (This observation is due to Tofte, who also goes on to provide a counterexample to the conjecture [11].)

The simplest approach to recovering soundness is to preclude polymorphic generalization on the type of a let-bound expression unless that expression is a value. Under this restriction the proof goes through, for we can readily see that if $\mu \vdash v \Rightarrow v', \mu'$, then $v' = v$ and $\mu' = \mu$, and that if $\mu : \Lambda$ and $\mu : \Lambda_1$ with $\Lambda_1 \supseteq \Lambda$, then $\Lambda_1 = \Lambda$ (both have domain $\mathrm{dom}(\mu)$). Consequently, $\mathrm{Close}_{\Lambda_1}(\tau_1) = \mathrm{Close}_\Lambda(\tau_1)$ in the above proof sketch, and this is sufficient to complete the proof. Following Tofte [11], we deem an expression $e$ non-expansive iff $\mu \vdash e \Rightarrow v, \mu'$ implies $\mu' = \mu$. By restricting the LET rule so that $e_1$ is non-expansive, we ensure that $\Lambda_1 = \Lambda$, which suffices for the proof. Unfortunately, in any interesting language this condition is recursively undecidable, and hence some conservative approximation must be used. Tofte chooses the simple and memorable condition that $e_1$ be a (syntactic) value.

The requirement that polymorphic let's bind values is rather restrictive. Following ideas of MacQueen (unpublished) and Damas [3], Tofte introduced a modification to the type system that admits a more flexible use of polymorphism, without sacrificing soundness. Tofte's idea is to employ a marking of type variables so as to maintain the invariant that if a type variable can occur in the type of a location in the store, then generalization on that type variable is suppressed. The set of type variables is divided into two countably infinite disjoint subsets, the imperative and the applicative type variables. A monotype is called imperative iff all type variables occurring within it are imperative. The typing rule for $\mathrm{ref}$ is constrained so that the type $\tau$ of $e$ in rule REF is required to be imperative. Polymorphic generalization must preserve the imperative/applicative distinction, and polymorphic instantiation is defined so that an imperative type variable may only be instantiated to an imperative monotype. In addition a restricted form of generalization, written $\mathrm{AppClose}_{\Lambda,\Gamma}(\tau)$, is defined similarly to $\mathrm{Close}_{\Lambda,\Gamma}(\tau)$, with the exception that only applicative type variables are generalized in the result; any imperative type variables remain free.

With the machinery of applicative and imperative types in hand, Tofte replaces the LET rule with the following two rules:


(BIND-VAL)  $\dfrac{\Lambda;\Gamma \vdash v_1 : \tau_1 \qquad \Lambda;\Gamma[x:\mathrm{Close}_{\Lambda,\Gamma}(\tau_1)] \vdash e_2 : \tau_2}{\Lambda;\Gamma \vdash \mathbf{let}\ x\ \mathbf{be}\ v_1\ \mathbf{in}\ e_2 : \tau_2}$   ($x \notin \mathrm{dom}(\Gamma)$)

(BIND-ORD)  $\dfrac{\Lambda;\Gamma \vdash e_1 : \tau_1 \qquad \Lambda;\Gamma[x:\mathrm{AppClose}_{\Lambda,\Gamma}(\tau_1)] \vdash e_2 : \tau_2}{\Lambda;\Gamma \vdash \mathbf{let}\ x\ \mathbf{be}\ e_1\ \mathbf{in}\ e_2 : \tau_2}$   ($x \notin \mathrm{dom}(\Gamma)$)


Thus if the let-bound expression is a value, it may be used polymorphically without restriction; otherwise only the applicative type variables may be generalized.

The idea behind these modifications is to maintain a conservative approximation to the set of type variables that may occur in the type of a value stored in memory. This is achieved by ensuring that if a type variable occurs freely in the location typing of the memory, then it is imperative. The converse cannot, of course, be effectively maintained, since the location typing in the soundness theorem is computed as a function of the evaluation trace. We say that a location typing is imperative iff the type assigned to every location is imperative.
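As an added worked example (not code from the paper, and not Tofte's implementation), the following Python program infers types for closed programs of the language of Section 2 by unification, and lets the rule for `let` be chosen: the LET rule of Table 1, the value restriction discussed above, or BIND-VAL / BIND-ORD with imperative type variables. Unification-based inference is an implementation choice of this example; so is the way imperativeness propagates (every type variable in the type of the argument of `ref` is marked imperative, and any type unified with an imperative variable becomes imperative), which follows my understanding of Tofte's inference algorithm and should be read as an assumption. BAD is the counterexample discussed after Conjecture 3.1 in executable form; GOOD binds a non-value whose type contains only an applicative type variable, which the value restriction refuses to generalize but BIND-ORD does.

```python
"""Type inference for the language of Section 2 under three `let` rules (an added
example, not code from the paper).  Terms: 'unit', ('var', x), ('lam', x, e), ('app', e1, e2),
('ref', e), ('get', e) for !e, ('set', e1, e2) for e1 := e2, ('let', x, e1, e2).  Types:
'unit', ('ref', t), ('fun', a, b), TVar.  Modes: NAIVE = LET of Table 1, VALUE = value
restriction, TOFTE = BIND-VAL / BIND-ORD with imperative type variables (shown as _t)."""
import itertools

class TVar:
    """Type variable; `imp` marks it imperative, `link` holds its binding."""
    _ids = itertools.count()
    def __init__(self, imp=False):
        self.id, self.imp, self.link = next(TVar._ids), imp, None

def prune(t):
    while isinstance(t, TVar) and t.link is not None: t = t.link
    return t

def fvs(t):
    t = prune(t)
    if isinstance(t, TVar): return {t}
    return set().union(*(fvs(s) for s in t[1:])) if isinstance(t, tuple) else set()

def make_imperative(t):            # side condition of Tofte's REF rule: tau is imperative
    for v in fvs(t): v.imp = True

def show(t):
    t = prune(t)
    if isinstance(t, TVar): return ('_' if t.imp else '') + f't{t.id}'
    if t == 'unit': return 'unit'
    return f'{show(t[1])} ref' if t[0] == 'ref' else f'({show(t[1])} -> {show(t[2])})'

def unify(a, b):
    a, b = prune(a), prune(b)
    if a is b: return
    if isinstance(a, TVar):
        if a in fvs(b): raise TypeError(f'occurs check: {show(a)} in {show(b)}')
        if a.imp: make_imperative(b)   # an imperative variable takes only imperative types
        a.link = b
    elif isinstance(b, TVar): unify(b, a)
    elif isinstance(a, tuple) and isinstance(b, tuple) and a[0] == b[0]:
        for x, y in zip(a[1:], b[1:]): unify(x, y)
    elif a != b: raise TypeError(f'cannot unify {show(a)} with {show(b)}')

def is_value(e): return e == 'unit' or e[0] in ('var', 'lam')

def instantiate(scheme):           # sigma > tau; bound imperative variables stay imperative
    _, bound, body = scheme
    fresh = {v: TVar(imp=v.imp) for v in bound}
    def go(t):
        t = prune(t)
        if isinstance(t, TVar): return fresh.get(t, t)
        return (t[0],) + tuple(go(s) for s in t[1:]) if isinstance(t, tuple) else t
    return go(body)

def generalize(t, env, e1, mode):  # Close relative to env; the location typing is empty
    in_env = set().union(*(fvs(b) - set(bound) for _, bound, b in env.values()))
    gen = fvs(t) - in_env
    if mode == 'VALUE' and not is_value(e1): gen = set()
    if mode == 'TOFTE' and not is_value(e1): gen = {v for v in gen if not v.imp}  # AppClose
    return ('forall', list(gen), t)

def infer(e, env, mode):
    if e == 'unit': return 'unit'                                           # TRIV
    tag = e[0]
    if tag == 'var': return instantiate(env[e[1]])                          # VAR
    if tag == 'lam':                                                        # ABS
        a = TVar()
        return ('fun', a, infer(e[2], {**env, e[1]: ('forall', [], a)}, mode))
    if tag == 'app':                                                        # APP
        f, x, r = infer(e[1], env, mode), infer(e[2], env, mode), TVar()
        unify(f, ('fun', x, r)); return r
    if tag == 'ref':                                                        # REF
        t = infer(e[1], env, mode)
        if mode == 'TOFTE': make_imperative(t)
        return ('ref', t)
    if tag in ('get', 'set'):                                               # RETRIEVE, ASSIGN
        r = TVar(); unify(infer(e[1], env, mode), ('ref', r))
        if tag == 'get': return r
        unify(infer(e[2], env, mode), r); return 'unit'
    if tag == 'let':                                                        # LET / BIND-*
        sigma = generalize(infer(e[2], env, mode), env, e[2], mode)
        return infer(e[3], {**env, e[1]: sigma}, mode)
    raise TypeError(f'no typing rule for {e}')

def check(e, mode):
    """Principal type of the closed program e, or the reason it is rejected."""
    assert mode in ('NAIVE', 'VALUE', 'TOFTE')
    try: return show(infer(e, {}, mode))
    except TypeError as err: return f'ill-typed: {err}'

# Constructed programs.  BAD: let r be ref (\y.y) in let z be r := (\y.unit) in !((!r)(ref unit))
# NAIVE closes r : forall t.(t -> t) ref and instantiates t at unit and at unit ref.
BAD = ('let', 'r', ('ref', ('lam', 'y', ('var', 'y'))),
       ('let', 'z', ('set', ('var', 'r'), ('lam', 'y', 'unit')),
        ('get', ('app', ('get', ('var', 'r')), ('ref', 'unit')))))
# GOOD: let f be (\x.x)(\y.y) in let z be f unit in f (ref unit)
# e1 is not a value, but f : t -> t has only an applicative t, so BIND-ORD generalizes it.
GOOD = ('let', 'f', ('app', ('lam', 'x', ('var', 'x')), ('lam', 'y', ('var', 'y'))),
        ('let', 'z', ('app', ('var', 'f'), 'unit'), ('app', ('var', 'f'), ('ref', 'unit'))))
```

Calling `check(BAD, m)` for each mode shows the three disciplines side by side: NAIVE assigns BAD the type `unit` although (as the evaluator of Section 2 shows) it gets stuck, while VALUE and TOFTE reject it because `r` stays monomorphic, its type variable having become imperative when it passed through `ref`. `check(GOOD, 'VALUE')` fails on the second use of `f`, whereas `check(GOOD, 'TOFTE')` returns `unit ref`.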

Theorem 3.2 If $\mu \vdash e \Rightarrow v, \mu'$, and $\Lambda \vdash e : \tau$, with $\mu : \Lambda$ and $\Lambda$ imperative, then there exists $\Lambda'$ such that $\Lambda'$ is imperative, $\Lambda \subseteq \Lambda'$, $\mu' : \Lambda'$, and $\Lambda' \vdash v : \tau$.

The proof proceeds by induction on the structure of the derivation of $\mu \vdash e \Rightarrow v, \mu'$. Consider the evaluation rule ALLOC. The restriction on rule REF ensures that if $\mathrm{ref}\ e : \tau\,\mathrm{ref}$, then $\tau$ is imperative. Consequently, the location typing $\Lambda'' = \Lambda'[l:\tau]$ is imperative since, by supposition, $\Lambda$ is imperative, and, by induction, $\Lambda'$ is imperative. The significance of maintaining the imperative invariant on location typings becomes apparent in the case of the evaluation rule BIND, where the typing derivation ends in either BIND-VAL or BIND-ORD. The rule BIND-VAL is handled as sketched above: since $e_1$ is a value, it is non-expansive, and consequently $\Lambda_1 = \Lambda$, which suffices for the proof. The rule BIND-ORD is handled by observing that, regardless of whether $\Lambda_1$ is a proper extension of $\Lambda$ or not, we must have $\mathrm{Close}_{\Lambda_1}(\tau_1) > \mathrm{AppClose}_\Lambda(\tau_1)$, for if a type variable $t$ occurs freely in $\Lambda_1$ but not in $\Lambda$, it must be (by the induction hypothesis) imperative, and hence is not generalized in $\mathrm{AppClose}_\Lambda(\tau_1)$ (by definition of $\mathrm{AppClose}$). This is sufficient to complete the proof.

4  Conclusion 

We have presented a simplified proof of the soundness of Tofte's type discipline for combining polymorphism and mutable references in ML. The main contribution is the elimination of the need for the maximal fixed point argument used by Tofte [11]. The methods considered here have subsequently been employed by Greiner to establish the soundness of the "weak polymorphism" type discipline implemented in the Standard ML of New Jersey compiler [1]. Our approach was influenced by the work of Wright and Felleisen [13], who pioneered the use of reduction semantics to prove soundness of type assignment systems.

Several important studies of the problem of combining polymorphic type inference and computational effects (including mutable references) have been conducted in recent years. The interested reader is referred to the work of Gifford, Jouvelot and Talpin [6, 9], Leroy and Weiss [7], Wright [12], Hoang, Mitchell, and Viswanathan [5], and Greiner [4] for further details and references.

The author is grateful to Matthias Felleisen, Andrew Wright, and John Greiner for their comments and suggestions.